HIPAA Changes Go Into Effect on September 23, 2013 – Is Your Pharmacy Ready?

An overview of some changes to HIPAA and resources to help you ensure your pharmacy’s compliance.

Note: The content provided here is purely for informational purposes and does not constitute legal advice. You are solely responsible for investigating and complying with all applicable laws, rules and regulations that govern the operation of your business. If you need legal advice, contact your attorney.

When Did HIPAA Change? When Do the Changes Go into Effect?

HIPAA (the Health Insurance Portability and Accountability Act) was originally enacted in August 1996. In August 2002, the Department of Health and Human Services (HHS) publicized the national standards for the electronic exchange, privacy and security of certain individually identifiable health information.

Effective March 26, 2013, HIPAA and the associated Privacy Rule have undergone their most significant update. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Omnibus Final Privacy Rule with respect to voluntary compliance activities and civil money penalties.[i] HHS states the purpose of the Omnibus Final Rule is to strengthen the privacy and security protections for individuals’ health information, to modify rules dealing with breach notification, and to increase the flexibility and decrease the burden on regulated entities. A major goal is to strike a balance that permits the use of important information to provide and promote high-quality healthcare, while protecting the privacy of people who seek care and healing.[ii]

Covered entities, including most pharmacies, must comply with applicable requirements and update associated policies and procedures (P&P) by September 23, 2013.

What Specifically Has Changed?

On the website HIPAA Survival Guide (www.hipaasurvivalguide.com), lawyer Carlos Leyva emphasized that much of the Omnibus Rule is not new rulemaking, but is finalization of interim rules.[iii] A few of the important changes include:

Area of Change / Description of Change

Definitions
There are changes in the definitions of some terms such as “business associate” and “protected health information” (PHI). The most significant change is to “business associates,” who are contractors and sub-contractors of covered entities with access to PHI. Covered entities are now required to obtain “satisfactory assurances” from their business associates that PHI will be protected by them (and business associates must obtain the same assurances from their own business associates), ensuring a chain of assurances. As a result, existing business associate agreements will need to be evaluated and may need to be modified. Information about business associate agreements, including some sample provisions, is available from HHS on the HHS website.

Enforcement Rule
The Enforcement Rule has been strengthened, penalties have been significantly increased, and OCR’s enforcement activity is being stepped up. Audits were previously complaint-driven but will now be proactive. HHS has made audit protocols available as a resource.

Security Rule
Changes to the Security Rule deal with incremental adjustments to existing HIPAA security rules and relatively modest changes to security practices.

Privacy Rule
Extensive changes were made to the Privacy Rule. Here’s a little more information on just some of the changes:

NPP (Notice of Privacy Practices)

  • Changes in basic definitions, access to records, restrictions to PHI, and communicating and accounting of disclosures mean pharmacies will need to evaluate the NPP and modify it as necessary to ensure consistency with the Final Rule.
  • The NPP must be made available, such as by posting it in store and making it available on the pharmacy’s website. (Note: There is no requirement to proactively send out a notice informing customers of the updated NPP, as health plans are required to do.[iii])

PHI (Protected Health Information)

  • Individuals will be able to access their own PHI.
  • Restrictions on using PHI for “marketing” activities, including requiring signed patient authorization to use PHI for marketing. (Note: individual authorization is not required for most refill reminders and other pharmacy communications that deal with a currently prescribed drug or biologic.[iv])
  • “Business associates” are directly liable for uses and disclosures of PHI.

Breach Notification Rule
Per the HITECH Act, a covered entity must provide notification of discovery of a breach of unsecured PHI to affected individuals. The requirements for reporting a breach [the unauthorized acquisition, access or use of PHI that compromises its security or privacy (e.g., lost or stolen PHI)] have been strengthened. Pharmacies, if they haven’t already, may need to modify the risk assessment tools they use to look at potential or actual PHI breaches (e.g., NPP, risk analysis, risk management plan, disaster recovery plan). The pharmacy will also need to evaluate its training on detecting and reporting incidents, breaches and violations of HIPAA.

The documents explaining these new rules are more than 500 pages, meaning that this short summary barely touches the surface of what has changed. It is important to realize that there are many changes in HIPAA’s privacy, security, breach notification and enforcement rules. There will be proactive audits, more audits and stiffer penalties for non-compliance. Covered entities, including pharmacies, must comply by September 23, 2013.

Steps for Pharmacies

Actions that pharmacies can benefit from include:

  • Becoming informed. The new HIPAA rules are lengthy and technical. While committing all 500 pages to memory is unrealistic, it is still beneficial to have a basic working knowledge of these rules. A wealth of resources is available to assist pharmacists, with some resources provided below.
  • Getting legal advice. To ensure compliance, nothing replaces getting expert legal advice that is specific to your pharmacy. To comply with HIPAA, work with your attorney and other consultants as necessary to review and update your Notice of Privacy Practices and other HIPAA-related policies, forms, agreements and documents.
  • Having staff members go through training. All employees with access to PHI need to complete training on HIPAA’s new requirements by September 23, 2013. (Information on training resources is provided below.)
  • Modifying necessary forms and documents. Business associate agreements and other forms and documents may need to be revised in order to be compliant.
A host of resources is available with background information about HIPAA, information about steps necessary to comply, training programs, and more. (Please note that by listing these resources and providing links, McKesson is in no way endorsing these sites or vouching for the accuracy of their content.)

HIPAA Background and Compliance Information

You are the sole owner of your pharmacy and in sole control of all aspects of its operations. The information provided here is for reference only and does not constitute legal advice. We make no representations with regard to the content’s comprehensiveness. You are solely responsible for investigating and complying with all applicable laws that govern the operation of your business.

[i] https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
[ii] “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.” Federal Register Vol. 78, No. 17, January 25, 2013.
[iii] Carlos Leyva, “HIPAA Omnibus Rule,” HIPAA Survival Guide, February 3, 2013. http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php
[iv] National Association of Chain Drug Stores. “HHS/OCR HITECH Omnibus Privacy Final Rule Summary.” January 2013.